Malware is quickly making its way into 2019 and it’s taking no prisoners. From IcePick-3PC to ServHelper to FlawedGrace, these threats are not stopping at any organization’s external defenses. All of them are currently active, along with others, and most of the time they find their way into a network or onto your computer via phishing. They are even helping each other out to maximize their efforts.

ServHelper is one that should be on everyone’s radar. It has been around since the end of 2018 and its primary goal now is to open up a backdoor on Windows PCs so that TA505, the hacking group behind it, can walk in and help themselves to your data.

But ServHelper doesn’t stop with that. It also lends a helping hand to FlawedGrace. This group of malware has been around since November 2017. Researchers at Proofpoint have explained some of the details surrounding this collaboration of malware, but suffice it to say the basics of detecting phishing attacks are really important to protect against this one-two punch.

Both rely on phishing. Most of it is via massive spam campaigns, as opposed to specifically targeting individuals, groups, or industries. It counts on unwitting victims’ curiosity and our propensity to open attachments and click links without much thought.

Don’t be one of those victims. If you are not expecting a link or attachment, don’t open it. It’s really that simple. If there is a hint of a threat in an email (which phishing emails often employ), don’t click. And if there is any doubt whatsoever that an email may be phishing, your instinct is probably correct.

Don’t make any sudden movements. Take some time to think about what the message is saying and remember that if something truly is urgent, the sender will contact you in a way that has a better chance of reaching you, such as on the telephone. If it’s in an email, whatever the situation is, it can wait a bit.

In this ServHelper attack, an attachment is sent that requests the enabling of macros. There really is no need to enable macros unless you created them or you know who did. These are generally disabled by default, but you should definitely go into the settings of your Microsoft Office products and make sure they are not allowed without asking first. If an attachment does request these, close it and contact the sender to make sure those are truly needed and that he or she did intend to send that attachment.

If you let this malware in, the attackers have remote access and can get your user account information, web profiles, and pretty much whatever they want to find.

FlawedGrace, on the other hand, can take full control of a device it infects. It often does target financial institutions and retailers. It wants your online banking credentials to send to the attackers.

Researchers think there is even another malware campaign being operated by the same TA505 group and that perhaps all of these are being run alongside each other. Possibly this is to make them less traceable and detectable. Be cautious. Don’t help them out.

As cybersecurity researchers are reporting, identity theft scams are improving over time. There’s a resurgence of different types of hacking schemes from several years ago that fell off the radar while newer scams took their places. The reality is, many tricks of the trade were being improved in the background, only to come back with even more sophisticated tactics.

TrickBot is one type of malware that continues to go through many versions since its arrival in 2016. Each tweak over two years included improvements, and a change of focus from other countries to the U.S. in 2017. For TrickBot and its newest version, it’s not just about hijacking banking credentials anymore. And it’s more difficult to detect and defend against than ever.

TrickBot is a financial trojan targeting customers of major banking institutions, with past attacks in the U.S. also targeting customers of Amazon, AMEX, and PayPal. TrickBot uses phishing campaigns designed to trick users into entering their financial data, including passwords, into bogus banking websites designed to look legitimate. The latest spin on the malware uses a fake Excel document alerting users that a file uses an earlier version of Excel and needs an update to be viewed. Once the user takes the bait, Trojan malware is installed on the device and steals not only usernames and passwords from system applications, but also all sorts of browser information like history, cookies, and autofill data. It works on popular browsers like Google Chrome, Internet Explorer, Mozilla Firefox, and Microsoft Edge. Hijacking all that data puts victims at risk of fraud and theft of much more than just banking information. Having that sensitive data also puts TrickBot in a prime position for ransomware, with the threat of locking a device until a ransom is paid.

TrickBot email phishing spoofs legitimate banking websites, offering a juicy bit of information in the subject line such as “Your Payment is Attached.” Many curious and hopeful recipients can’t resist opening the email and clicking on an attachment or a link. Once that happens, the TrickBot Trojan infects, installs and embeds malware on the device. A seemingly innocent email is responsible for stealing banking credentials to start, but then takes so much more.

The lesson is not to assume that everything in your inbox is legitimate, no matter how high spam filters are set. Hackers use an email phishing trojan like TrickBot because it works. Improvements over time are refined not only by the level of damage they cause, but also by creating an improved message that more users respond to. Keeping aware of email phishing means avoiding subjects that aggressively prey on any type of emotion, threaten, or make you believe something is urgent. Those should be deleted immediately. Extreme caution is necessary, and always avoid following embedded links and opening any attachments. If you cannot be 100% sure that link is good to go, verify it independently of any email with the sender. Remember not to enable macros unless you either created them or are certain they are safe. Macro malware is becoming more common these days. If you haven’t checked, make sure your macros are disabled by default.

To succeed, TrickBot is counting on users not having secure email cyber-sense. Don’t be one of them!

Banking Malware Revised To Be Undetectable And Still Steal Your Information

Published April 30, 2018

Some call it PandaBot. Others refer to it as Zeus Panda, but we here in the U.S. know it as the Panda Banker banking trojan. It’s on the move again and finding new targets. But what it’s trying to steal remains the same: Financial login credentials. It uses man-in-the-browser attacks as well as webinjects to be successful. More on those later.

One thing this version is not doing is repeating any indicators of compromise (IOCs) that were used in the past. So the antivirus and other products that were able to find it before won’t work anymore. That said, it doesn’t mean that it is a good idea to give up on keeping all antivirus software updated. That is still important, because as soon as a new version of malware is discovered, your software will get that information.

What it does mean is that everyone needs to be aware of how it gets onto your computer. That question is getting more difficult to answer these days, as there are so many ways criminals are now distributing malware. In the case of Panda Banker, criminals are using a variety of phishing emails that include malicious attachments or links that take people to a website that initiates a download. Below are three examples of active scams:

Once installed, Panda Banker uses search words to determine when to activate. When it finds those related to banking and other sites, it will essentially “steal” your browser and trick you into providing information. This one is looking for certain sites in the following categories to activate:

Sites having to do with payment cards

Web email sites

Video search engine sites

Search engines themselves, such as Bing or Yahoo!

Online shopping sites

Social media sites

Adult content hubs

Once these identifiers are located by the malware, a man-in-the-browser attack takes place. Vulnerabilities in the browser are exploited, allowing the attacker to modify web pages and transaction content, or to insert additional fields to steal credentials. Basically, they make it appear that you’re entering your details into your financial institution’s site, for example, but really you’re just handing it over to the bad actor. Unfortunately, it’s unlikely you will have any idea it’s happening.

Keep the browsers you use updated at all times. Some of them automatically update but may still need to be restarted for the update to take full effect. Others require more interaction from the user. Check on those specifics for what you use.

Malware such as this often makes it into a system in the first place via a phishing email. So always be on watch for those. It’s getting more difficult to determine what is real and what is not, so if you’re not expecting a link or attachment, don’t click it. Take a moment to call the sender to ensure it’s real. That can save you and your organization a lot of time and headaches.

Organized crime has been in the cybercrime business for quite some time. Now, they are taking malware adaptation to a whole new level of bad. According to the security company ICEBRG, the crime group FIN7 has revised malware to self-replicate and make itself undetectable using most available cyber defense tools. Adding insult to injury, it infiltrates victims’ Microsoft Outlook autocomplete feature to steal email addresses for additional phishing attacks.

All it takes is for one employee at any company to click a malicious link or attachment to set malware like the one FIN7 uses into action. Security and awareness training is any organization’s best defense against attacks like these. This particular attack starts with phishing and once a victim is found, a backdoor called HALFBAKED is implemented and the attack continues.

While having perimeter security tools in place such as firewalls, antivirus, and intrusion detection systems is important, employees should be trained continually on current attacks and mitigation.

When training to look for phishing, a few identifying factors will still give it away:

A sense of urgency is presented, telling the recipient they need to do something immediately

The sender is unknown

Links or attachments in the message are unexpected, even if the sender is known

The language used is not grammatically correct

The message is unprofessionally written

A thorough program should include training as well as a testing process so that any weaknesses with the knowledge of the staff or the program can be addressed and corrected.

Don’t forget to remind everyone that phishing doesn’t only come in the form of email anymore. SMS or text phishing (smishing), popups, malvertising, and even phishing via the telephone (vishing) are still occurring on a regular basis.

Banking Trojans are in no way a thing of the past. In fact, they are being revived as a means for getting malware onto mobile devices. This is no surprise, as these handy little computers are usually nearby us at all times. In a recent discovery by the security firm SfyLabs, Red Alert, a formerly common bit of malware for Android, has been improved and updated to version 2.0. And this one pulls no punches. It can cause a lot of grief should it land on your device.

This malware can do the following:

Steal login credentials for anything on the device including for financial apps and social media. Researchers know of 60 apps it targets.

Collect the information from your contacts list.

Bypass multifactor or two-factor authentication. This means that even if you are receiving a text or code to enter before access is granted to your accounts, the malware can go around that.

Stop notifications from alerting you including blocking incoming calls related to financial transactions.

This is not expected to be a complete list. Red Alert is expected to be very widely distributed as well. It’s available on a Russian hacking forum for rent at $500 to anyone who wants to use it.

How is Red Alert 2.0 Infecting Android Phones?

Red Alert 2.0 has already infected several Android apps delivered on third-party app stores. Installing apps from one of these unofficial app stores is called sideloading. That’s why it’s important to stick to the official app stores to get all your apps. That would be the Google Play Store for Android, the Apple App Store for Apple products, and BlackBerry App World if you have one of those. You should know what your store is for whichever device you are using.

There is some positive news. At this time, Red Alert 2.0 only affects older Android devices. If you are using the Nougat or Oreo operating system, you should not be at risk of downloading this right now. This is a good time to update your device if you are using Marshmallow or older.

Most have heard of phishing by now and know what signs to look for when reading email, text messages, or even listening to a caller on the phone. It’s also common for files such as Word documents that ask for macros to be enabled to be the method of delivery. Now, cybercriminals have found a way to execute malware that doesn’t rely on the familiar macros, JavaScript, or VBA. It simply requires the user to hover the mouse pointer over a hyperlink.

Researcher Ruben Daniel Dodge, who is a cyber intelligence analyst for a Fortune 50 company, found that PowerPoint presentations are now being used in this way. If the PowerPoint file is clicked, the user is presented with a dialog that simply says “Loading…Please Wait” with an included blue hyperlink. The idea is that the targeted victim will move the mouse over that link and voila! The malware executes.

This is very tricky indeed and underscores the importance of not opening any attachments in email if the sender is unknown and/or the file is not expected. This cannot be stressed enough. However, going forward it’s also important not to hover the mouse pointer over any links that may arrive in any emails unless there is 100% certainty that whatever is behind it is safe.

As we can see, methods of the cybercriminals are constantly changing and evolving. Every time we think we might just have them figured out, they create a new way to trick us. Keeping our guard up for new tricks of the trade is continuing to be a priority for everyone.

Dodge found that this particular attack opens a backdoor, likely so the attackers can come back at a later time and wreak havoc. However, he wasn’t able to tell at the time he was doing the analysis exactly what the intention of the backdoor was. Perhaps there will be a follow-up to that later. What SentinelOne researchers found is that this one delivered a variant of the banking trojan Tiny Banker (aka Zusy or Tinba).

The email message was seen with files named “order.ppsx” or “invoice.ppsx” and subject lines such as “Purchase order #130527” or “Confirmation.” Keep in mind that while it is possible, most companies don’t use PowerPoint to send out documents of this kind.

Here is an additional consideration. If the file is opened in Protected View, which is enabled by default in versions of Microsoft Office that are currently supported, a dialog does appear letting the user know there is a risk and providing an opportunity to enable or disable content. If “disable” is chosen, and it should be, it will not execute. In addition, the risk may be lowered if users heed the warning that code will be executed when the file is opened in PowerPoint Viewer. If the “decline” option is chosen, it also will not be set loose.
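For readers who triage suspicious attachments, the following is an added example written for this page; it is not code from Dodge, SentinelOne, or the original article. A .ppsx file is an ordinary OOXML zip, and PowerPoint records a “run this program” link as an hlinkMouseOver or hlinkClick element whose action attribute is ppaction://program, with the actual target stored in the slide’s .rels part. The scanner below unpacks a deck in memory and reports every such action, so a hover-triggered launch can be spotted before anyone opens the file. The sample deck it builds is constructed for the demonstration, and PLACEHOLDER_COMMAND is a stand-in for whatever target a real sample would carry.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PowerPoint slide parts (standard ECMA-376 URIs).
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def _slide_relationships(zf, slide_name):
    """Map rId -> Target for one slide (ppt/slides/slideN.xml -> ppt/slides/_rels/slideN.xml.rels)."""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")}


def find_program_actions(ppsx_bytes):
    """Return every hover/click action in the deck that launches a program instead of opening a URL.

    The element tells us the trigger (hlinkMouseOver needs no click, which is what the hover
    lure relies on); the relationship target tells us what would be launched.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_relationships(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = el.get("action", "")
                    if not action.startswith("ppaction://program"):
                        continue  # ordinary web links and slide jumps are not of interest here
                    rid = el.get(f"{{{R_NS}}}id")
                    findings.append({
                        "slide": name,
                        "trigger": trigger,
                        "action": action,
                        "target": rels.get(rid),
                    })
    return findings


def _pack(slide_xml, rels_xml):
    """Write a minimal ppsx-shaped zip to memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


def build_sample_ppsx(target, hover=True):
    """Constructed one-slide deck. hover=True mimics the 'Loading...Please Wait' lure with a
    program action on mouse-over; hover=False is a benign deck with a normal clickable web link."""
    link = ('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>' if hover
            else '<a:hlinkClick r:id="rId2"/>')
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr>{link}</a:rPr>
      <a:t>Loading...Please Wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="{target}" TargetMode="External"/>
</Relationships>"""
    return _pack(slide_xml, rels_xml)


if __name__ == "__main__":
    # PLACEHOLDER_COMMAND stands in for the relationship target a real sample would carry.
    for hit in find_program_actions(build_sample_ppsx("PLACEHOLDER_COMMAND")):
        print(f"{hit['slide']}: {hit['trigger']} -> {hit['action']} target={hit['target']!r}")
    print("benign deck:", find_program_actions(build_sample_ppsx("https://example.com", hover=False)))
```

Run it against a real attachment with find_program_actions(open("invoice.ppsx", "rb").read()); an empty list means no program-launching action exists in any slide, while a hit on an hlinkMouseOver trigger is exactly the pattern described above and the file deserves quarantine rather than a preview.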

Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.

This Privacy Policy applies to and is provided on behalf of Stickley on Security (collectively referred to as "We", "Us", or "Our") and describes Our information gathering practices and policies in connection with this Site. We value your ("User", "You", or "Your") privacy and recognize the sensitivity of Your personal information. We are committed to protecting Your personal information and using it only as appropriate to provide You with the best possible service, products, and opportunities. Use of this Site constitutes consent to Our collection and use of personal data as outlined herein.

COLLECTION AND USE OF PERSONAL INFORMATION FROM SITE USERS

We collect personally identifiable information from Users who provide it to us for billing purposes. For example, We collect Your name, street address, city, state, zip
code, telephone number, email address, and financial information, such as a credit card number, if You use the Site to register or renew a license. We may use this
information to contact You regarding the status of Your account and orders placed, and to alert You to new information, products and services, events and other
opportunities. We recognize that You may wish to limit the ways in which You are contacted and provide You with opt-out options below. Information about Our experiences and
transactions with you, such as your payment history, types of services and/or products you purchased are not shared with organizations outside of Stickley on Security.

We will not disclose to third parties (that is, people and companies that are not affiliated with Us) individually identifying information, such as names, postal and e-mail
addresses, telephone numbers, and other personal information, except to the extent that it is necessary to process and provide You with Your order, license request or
other request. Your contact information may also be provided to the extent necessary to comply with applicable laws or legal processes (e.g., subpoenas), or to meet contractual obligations outlined in this policy, or to protect Our
rights or property. We will cooperate with all law enforcement authorities.

If Your order, license request or other request is processed by a third-party, or if You are provided with bulletin boards and chat rooms and/or email capabilities on
this Site, please note that in the event that You voluntarily disclose personally identifiable information in those instances, that information, along with any substantive
information disclosed in Your communication or post, can be collected, correlated and used by third parties. This may result in unsolicited messages from third parties. Such
activities are beyond Our control, and We encourage You to check the applicable privacy policy of such party when providing personally identifiable information.

For each visitor to this Site, Our server can detect and collect certain information, including the User's domain name and e-mail address, and can identify the Web pages the
User visited or accessed. We may use this information in order to measure interest in and use of the various areas of the site.

We do not knowingly solicit information from children and We do not knowingly market the Site or its services to children.

OPT-OUT

You may at any time opt out of having Your personal information used by Us to send You promotional correspondence by contacting Us via e-mail provided in the "Contact Us"
section below.

PROMOTION CODES

"Promotion codes" are offered by third-party affiliates of Stickley on Security Training Videos. If you choose to include a "Promotion Code" when placing your order, the affiliate who is associated with that promotional code will receive your organization's name. They will NOT, however, receive any other information related to your account. The sharing of the organization name only applies when a "Promotion Code" is included during the order process.

USE OF COOKIES

1. First-party cookies
User input cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session, or persistent cookies limited to the duration of an operation such as purchase or trial;
User identification persistent cookies, to identify whether a user is visiting the website for the first time;
Authentication cookies, to identify the user once he or she has logged in, for the duration of a session;
User interface customization cookies, such as time zone and shopping cart status info, for the duration of a session (or slightly longer).

2. Third-party cookies
Social plug-in content sharing cookies, for logged-in members of a social network;
Google Analytics cookies to generate statistical data on how the visitor uses the website.

How do we use them?
Where strictly necessary. These cookies and other technologies are essential in order to enable the Services to provide the feature you have requested, such as remembering you have logged in.

For functionality. These cookies and similar technologies remember choices you make such as time zone and shopping cart info. We use these cookies to provide you with an experience more appropriate with your selections and to make your use of the Services more tailored.

For performance and analytics. These cookies and similar technologies collect information on how users interact with the Services and enable us to improve how the Services operate. For example, we use Google Analytics cookies to help us understand how visitors arrive at and browse our products, services and website to identify areas for improvement such as navigation, user experience, and marketing campaigns.

Social media cookies. These cookies are used when you share information using a social media sharing button or "like" button on our websites, or when you link your account or engage with our content on or through a social media site. The social network will record that you have done this. This information may be linked to targeting/advertising activities.

How can you opt-out?
To opt-out of our use of cookies, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. If you do not accept cookies, however, you may not be able to use our Services.

Updates to this Cookie Policy
This Cookie Policy may be updated from time to time. If we make any changes, we will notify you by revising the "effective starting" date at the top of this notice.

INFORMATION SECURITY AND CONFIDENTIALITY

We maintain physical, electronic and procedural safeguards to prevent the unauthorized release of or access to Your personal information. When We transfer and receive certain types of sensitive information such as financial information, We redirect visitors to a secure server. We do not store or reuse Your credit card information. We do not record or manage financial information about You (including credit card and other payment information). However, such precautions do not guarantee that this Site is invulnerable to all security breaches. We make no warranty, guarantee, or representation that the use of this Site is protected from viruses, security threats, or other vulnerabilities and that Your information will always be secure. We cannot guarantee the confidentiality of any communication or material transmitted to/from Us via the Site or e-mail. Use of the Internet is solely at Your own risk and is subject to all applicable local, state, federal, and international laws and regulations.

THIRD PARTY PROCESSING

Stickley on Security uses the vendor Authorize.net to process all payment transactions. When making a purchase on this site, You also accept the Terms and Conditions and
Privacy Policy of Authorize.net.

CONTACT US

This Privacy Policy may be updated periodically and posted on this Site. It applies only to Our online practices and does not encompass other areas of the organization. We
reserve the right to change this Policy at any time by posting revisions. By accessing or using the Site, You agree to be bound by all of the Terms of this Privacy Policy as
posted at the time of Your access or use. We reserve the right to contact Users of the Site regarding changes to the Terms and Conditions generally, this Privacy Policy
specifically, or any other policies or agreements relevant to the Site's Users. If You have any questions about this Policy, You may email to:
